phpPackages.composer: 2.6.6 -> 2.7.1

Diff: https://github.com/composer/composer/compare/2.6.6..2.7.1
Changelog: https://github.com/composer/composer/releases/tag/2.7.1
Fix CVE: CVE-2024-24821
This commit is contained in:
Pol Dellaiera 2024-02-13 15:33:27 +01:00
parent 39502e7aa7
commit cf9e77ef8e
No known key found for this signature in database
GPG key ID: D476DFE9C67467CA
3 changed files with 18 additions and 43 deletions

View file

@ -83,28 +83,7 @@ composerInstallBuildHook() {
# Since this file cannot be generated in the composer-repository-hook.sh
# because the file contains hardcoded nix store paths, we generate it here.
composer-local-repo-plugin --no-ansi build-local-repo -m "${composerRepository}" .
# Remove all the repositories of type "composer" and "vcs"
# from the composer.json file.
jq -r -c 'del(try .repositories[] | select(.type == "composer" or .type == "vcs"))' composer.json | sponge composer.json
# Configure composer to disable packagist and avoid using the network.
composer config repo.packagist false
# Configure composer to use the local repository.
composer config repo.composer composer file://"$PWD"/packages.json
# Since the composer.json file has been modified in the previous step, the
# composer.lock file needs to be updated.
composer \
--lock \
--no-ansi \
--no-install \
--no-interaction \
${composerNoDev:+--no-dev} \
${composerNoPlugins:+--no-plugins} \
${composerNoScripts:+--no-scripts} \
update
composer-local-repo-plugin --no-ansi build-local-repo-lock -m "${composerRepository}" .
echo "Finished composerInstallBuildHook"
}
@ -151,9 +130,6 @@ composerInstallInstallHook() {
${composerNoScripts:+--no-scripts} \
install
# Remove packages.json, we don't need it in the store.
rm packages.json
# Copy the relevant files only in the store.
mkdir -p "$out"/share/php/"${pname}"
cp -r . "$out"/share/php/"${pname}"/

View file

@ -63,7 +63,7 @@ composerRepositoryBuildHook() {
# Build the local composer repository
# The command 'build-local-repo' is provided by the Composer plugin
# nix-community/composer-local-repo-plugin.
composer-local-repo-plugin --no-ansi build-local-repo ${composerNoDev:+--no-dev} -r repository
composer-local-repo-plugin --no-ansi build-local-repo-lock ${composerNoDev:+--no-dev} -r repository
echo "Finished composerRepositoryBuildHook"
}

View file

@ -1,11 +1,22 @@
{ lib, callPackage, fetchFromGitHub, fetchpatch, php, unzip, _7zz, xz, git, curl, cacert, makeBinaryWrapper }:
{ lib
, callPackage
, fetchFromGitHub
, php
, unzip
, _7zz
, xz
, git
, curl
, cacert
, makeBinaryWrapper
}:
php.buildComposerProject (finalAttrs: {
# Hash used by ../../../build-support/php/pkgs/composer-phar.nix to
# use together with the version from this package to keep the
# bootstrap phar file up-to-date together with the end user composer
# package.
passthru.pharHash = "sha256-cmACAcc8fEshjxwFEbNthTeWPjaq+iRHV/UjCfiFsxQ=";
passthru.pharHash = "sha256-H/0L4/J+I3sa5H+ejyn5asf1CgvZ7vT4jNvpTdBL//A=";
composer = callPackage ../../../build-support/php/pkgs/composer-phar.nix {
inherit (finalAttrs) version;
@ -13,27 +24,15 @@ php.buildComposerProject (finalAttrs: {
};
pname = "composer";
version = "2.6.6";
version = "2.7.1";
src = fetchFromGitHub {
owner = "composer";
repo = "composer";
rev = finalAttrs.version;
hash = "sha256-KsTZi7dSlQcAxoen9rpofbptVdLYhK+bZeDSXQY7o5M=";
hash = "sha256-OThWqY3m/pIas4qvR/kiYgc/2QrAbnsYEOxpHxKhDfM=";
};
patches = [
(fetchpatch {
name = "CVE-2024-24821.patch";
url = "https://github.com/composer/composer/commit/77e3982918bc1d886843dc3d5e575e7e871b27b7.patch";
hash = "sha256-Q7gkPLf59+p++DpfJZeOrAOiWePuGkdGYRaS/rK+Nv4=";
excludes = [
# Skipping test files, they are not included in the source tarball
"tests/*"
];
})
];
nativeBuildInputs = [ makeBinaryWrapper ];
postInstall = ''
@ -41,7 +40,7 @@ php.buildComposerProject (finalAttrs: {
--prefix PATH : ${lib.makeBinPath [ _7zz cacert curl git unzip xz ]}
'';
vendorHash = "sha256-50M1yeAKl9KRsjs34cdb5ZTBFgbukgg0cMtHTYGJ/EM=";
vendorHash = "sha256-NJa6nu60HQeBJr7dd79ATptjcekgY35Jq9V40SrN9Ds";
meta = {
changelog = "https://github.com/composer/composer/releases/tag/${finalAttrs.version}";